Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250314-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    21/03/2025, 08:06

General

  • Target

    2025-03-21_07b1087127e38101002b049e95e1ddcf_amadey_mafia.exe

  • Size

    2.7MB

  • MD5

    07b1087127e38101002b049e95e1ddcf

  • SHA1

    394702087a93e47a25f3610c096cdc82747224ca

  • SHA256

    6800e76ac53d68c3576f2293f4447e93496b337ef447cb57be447149a0c4ebfd

  • SHA512

    8e9d1e973d73164108b0a458060f7ec0e1bf24bb0d9186fa5cbf54f927de15a25d5995f66cf0d4fcc0e08703ca5b5d48221a63f53027ed7b91174b614beb6f58

  • SSDEEP

    49152:9HHKO29Qm5QZuTtS0rQMYOQ+q8CEKTG4QaTGHQ89KFeMK:9nKdtWsM0r1QnxK4DKH30FeT

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 10 IoCs

    Traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
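
The "Unexpected DNS network traffic destination" signature reduces to one check: flows to port 53 whose destination is not one of the resolvers the VM was configured with. The following is an added example of that check, not the sandbox vendor's detection code; the flow records and the resolver address are constructed, since the report lists neither the VM's resolver nor the 10 flagged destinations.

```python
"""Flag traffic on the DNS port whose destination is not a configured
resolver, the condition behind the "Unexpected DNS network traffic
destination" signature.

Added example, not the sandbox vendor's code. The flow records and the
resolver address below are constructed.
"""
import csv
import io
from collections import Counter
from ipaddress import ip_address

DNS_PORT = 53

# Assumption: the sandbox VM's resolver. Replace with the real one.
CONFIGURED_RESOLVERS = {"10.127.0.1"}

# Constructed flow records in a netflow-like CSV layout (assumed format).
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto
1742544400,10.127.0.10,51234,10.127.0.1,53,udp
1742544401,10.127.0.10,51235,10.127.0.1,53,udp
1742544402,10.127.0.10,51236,8.8.8.8,53,udp
1742544403,10.127.0.10,51237,8.8.8.8,53,udp
1742544404,10.127.0.10,51238,1.1.1.1,53,tcp
1742544405,10.127.0.10,51239,8.8.8.8,53,udp
1742544406,10.127.0.10,49152,203.0.113.7,80,tcp
1742544407,10.127.0.1,53,10.127.0.10,51234,udp
"""


def parse_flows(text):
    """Parse CSV flow records; ports become ints and IPs are validated."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["src_port"] = int(row["src_port"])
        row["dst_port"] = int(row["dst_port"])
        ip_address(row["src_ip"])  # ValueError on malformed addresses
        ip_address(row["dst_ip"])
        flows.append(row)
    return flows


def unexpected_dns_destinations(flows, resolvers=CONFIGURED_RESOLVERS):
    """Return {dst_ip: flow_count} for flows to port 53 (UDP or TCP) whose
    destination is not a configured resolver.

    Only client-to-server flows are examined (dst_port == 53). A resolver's
    reply has src_port == 53 and is ignored, so replies from the legitimate
    resolver never count as hits and each query is counted once.
    """
    hits = Counter()
    for f in flows:
        if f["dst_port"] == DNS_PORT and f["dst_ip"] not in resolvers:
            hits[f["dst_ip"]] += 1
    return dict(hits)


def dns_iocs(flows, resolvers=CONFIGURED_RESOLVERS):
    """IoC-style rows (dst_ip, proto, count), most frequent first."""
    per_dest = Counter()
    for f in flows:
        if f["dst_port"] == DNS_PORT and f["dst_ip"] not in resolvers:
            per_dest[(f["dst_ip"], f["proto"])] += 1
    return sorted(((ip, proto, n) for (ip, proto), n in per_dest.items()),
                  key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for ip, proto, n in dns_iocs(parse_flows(SAMPLE_FLOWS)):
        print(f"unexpected DNS destination {ip}/{proto}: {n} flow(s)")
```

The check only sees port 53; resolution over DoH or DoT on other ports would not trip it, which is also why the sandbox signature names the DNS port specifically.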

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-21_07b1087127e38101002b049e95e1ddcf_amadey_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-21_07b1087127e38101002b049e95e1ddcf_amadey_mafia.exe"
    1⤵
    • Unexpected DNS network traffic destination
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4116
  • C:\Windows\Syswow64\681e6ce
    C:\Windows\Syswow64\681e6ce
    1⤵
    • Executes dropped EXE
    • Unexpected DNS network traffic destination
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1196
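
The process tree shows the pattern a hunting rule should catch: a binary running from the user's Temp directory writes an extension-less file into SysWOW64 (PID 4116), and that file is then executed (PID 1196). Below is an added example of that correlation over Sysmon-style events; it is not the sandbox vendor's code. The events are constructed (EventID 11 for FileCreate, EventID 1 for ProcessCreate, following Sysmon's numbering), with only the image paths and PIDs taken from the report. Correlation is by file path rather than parent PID, so it does not depend on how the tree nests the two processes.

```python
"""Correlate a dropper running from %TEMP% with the file it writes under
System32/SysWOW64 and the later execution of that file.

Added example, not the sandbox vendor's code. Events are constructed in a
Sysmon-like shape; only image paths and PIDs come from the report.
"""
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_DIR_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
FILE_CREATE, PROCESS_CREATE = 11, 1  # Sysmon event IDs

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2025-03-21_07b1087127e38101002b049e95e1ddcf_amadey_mafia.exe")
DROPPED = r"C:\Windows\SysWOW64\681e6ce"

# Constructed events mirroring the page's process tree (not real telemetry).
EVENTS = [
    {"EventID": PROCESS_CREATE, "ProcessId": 4116, "Image": DROPPER},
    {"EventID": FILE_CREATE, "ProcessId": 4116, "Image": DROPPER,
     "TargetFilename": DROPPED},
    {"EventID": PROCESS_CREATE, "ProcessId": 1196, "Image": DROPPED},
    # Benign control: a normal system binary with an extension.
    {"EventID": PROCESS_CREATE, "ProcessId": 2200,
     "Image": r"C:\Windows\SysWOW64\notepad.exe"},
]


def _norm(path):
    return path.lower()


def in_system_dir(path):
    """True for paths under System32 or SysWOW64 (any depth)."""
    return _norm(path).startswith(SYSTEM_DIRS)


def lacks_extension(path):
    """True when the file name has no extension (e.g. '681e6ce')."""
    return ntpath.splitext(ntpath.basename(path))[1] == ""


def detect_drop_and_execute(events):
    """Walk events in order and return (finding, pid, path) tuples:
    drop_to_system_dir         a %TEMP% process writes into System32/SysWOW64
    executes_dropped_file      a process image equals a path dropped earlier
    extensionless_system_image a process image under System32/SysWOW64 has
                               no file extension (suspicious on its own)
    """
    dropped = {}  # normalized target path -> pid that wrote it
    findings = []
    for ev in events:
        if ev["EventID"] == FILE_CREATE:
            target = ev["TargetFilename"]
            if in_system_dir(target) and TEMP_DIR_RE.match(ev["Image"]):
                dropped[_norm(target)] = ev["ProcessId"]
                findings.append(("drop_to_system_dir", ev["ProcessId"], target))
        elif ev["EventID"] == PROCESS_CREATE:
            image = ev["Image"]
            if _norm(image) in dropped:
                findings.append(("executes_dropped_file", ev["ProcessId"], image))
            if in_system_dir(image) and lacks_extension(image):
                findings.append(("extensionless_system_image", ev["ProcessId"], image))
    return findings


if __name__ == "__main__":
    for finding, pid, path in detect_drop_and_execute(EVENTS):
        print(f"{finding:28} pid={pid} {path}")
```

Writing into SysWOW64 requires the dropper to already hold the privileges the "Suspicious use of AdjustPrivilegeToken" signature hints at, so the file-create finding alone is worth alerting on even before the execution is observed.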

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\681e6ce

    Filesize

    2.7MB

    MD5

    ca60f67bc99db04bd37059e73ae29dc3

    SHA1

    717c52830ce724764d8e549aed5132f0230cdaf7

    SHA256

    ba2a80950a4db0b164b38a1b9c1081d7263f86a57d93992a40858d4a02fcf418

    SHA512

    c747ac83980e44608e95e898794b7923e5d6ec5d0cec34abd49e19a277426668f78ab559eaacec4cb3657edd7f1f730e9f74bf7a4ca9188529cd020b04ed903e

  • memory/1196-4-0x0000000000A10000-0x0000000000A73000-memory.dmp

    Filesize

    396KB

  • memory/4116-0-0x00000000000D0000-0x0000000000133000-memory.dmp

    Filesize

    396KB
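
Two cross-checks a practitioner wants on these artefact records: the memory-dump names encode the dumped address range, so the listed 396KB can be recomputed (both dumps span 0x63000 bytes), and a file recovered from the VM can be matched against the report's hashes. The following is an added example, not the sandbox vendor's code. The hashes and dump names are copied from the report; the layout of the dump name (memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp) is inferred from the two names shown and is an assumption.

```python
"""Cross-check the report's artefact records: recompute dump sizes from the
address range in the dump name, and match data against the report's hashes.

Added example, not the sandbox vendor's code. The dump-name layout is an
assumption inferred from the names shown in the report.
"""
import hashlib
import re

DUMP_NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Artefacts as listed in the report.
DUMPS = {
    "memory/1196-4-0x0000000000A10000-0x0000000000A73000-memory.dmp": "396KB",
    "memory/4116-0-0x00000000000D0000-0x0000000000133000-memory.dmp": "396KB",
}
REPORT_IOCS = {
    "2025-03-21_07b1087127e38101002b049e95e1ddcf_amadey_mafia.exe": {
        "md5": "07b1087127e38101002b049e95e1ddcf",
        "sha1": "394702087a93e47a25f3610c096cdc82747224ca",
        "sha256": "6800e76ac53d68c3576f2293f4447e93496b337ef447cb57be447149a0c4ebfd",
    },
    r"C:\Windows\SysWOW64\681e6ce": {
        "md5": "ca60f67bc99db04bd37059e73ae29dc3",
        "sha1": "717c52830ce724764d8e549aed5132f0230cdaf7",
        "sha256": "ba2a80950a4db0b164b38a1b9c1081d7263f86a57d93992a40858d4a02fcf418",
    },
}


def parse_dump_name(name):
    """Return pid, start, end and size (bytes) encoded in a dump file name."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "start": start, "end": end,
            "size": end - start}


def size_label(nbytes):
    """Whole-kilobyte label in the report's style ('396KB')."""
    return f"{nbytes // 1024}KB"


def check_dump_sizes(dumps=DUMPS):
    """Map each dump name to (recomputed label, label matches report)."""
    result = {}
    for name, listed in dumps.items():
        label = size_label(parse_dump_name(name)["size"])
        result[name] = (label, label == listed)
    return result


def hash_digests(data):
    """md5/sha1/sha256 hex digests of a byte string."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256")}


def match_iocs(data, iocs=REPORT_IOCS):
    """Return [(artefact, algorithm)] for every report hash that data matches."""
    digests = hash_digests(data)
    return [(artefact, algo) for artefact, hashes in iocs.items()
            for algo, value in hashes.items()
            if digests.get(algo) == value.lower()]


if __name__ == "__main__":
    for name, (label, ok) in check_dump_sizes().items():
        info = parse_dump_name(name)
        print(f"pid {info['pid']}: {info['size']:#x} bytes = {label} "
              f"({'matches' if ok else 'DIFFERS FROM'} report)")
```

To use the matcher on a recovered file, pass its bytes to match_iocs; the dropped file and the submission share a reported size of 2.7MB but every hash differs, so matching on hash rather than size is what distinguishes the two.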